[389-users] Fwd: Some cipher suites not working

Darcy Hodgson darcy at darcyhodgson.com
Fri Jul 19 14:38:22 UTC 2013


On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins at redhat.com>wrote:

>  On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>
> Hello,
>
> I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able
> to get it working and can connect with LDAPS. However, when I started to
> disable some of the ciphers I noticed that my server wasn't accepting any
> of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to
> confirm that the server was only choosing RSA.
>
> I checked the logs and the only thing they say is "Cannot communicate
> securely with peer: no common encryption algorithm(s)."
>
> Any help getting the DHE ciphers to work or pointing me to some
> documentation would be appreciated.
>
>
> Can you please provide the exact steps to reproduce the issue?  Please
> include the versions of the nspr, nss, openldap, and 389-ds-base packages.
> Have you tried openssl s_client?
>
>
>
> Thanks,
>
> Darcy
>
>
Here is the requested software installed.

openssh-5.3p1-84.1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-tools-3.14.0.0-12.el6.x86_64

Here are my encryption settings.

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20130702171319Z
modifyTimestamp: 20130702171319Z
numSubordinates: 1

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: test-cert
nsSSLToken: internal (software)
nsSSLActivation: on


I installed everything via Yum and only added the encryption settings and
"nsslapd-security: on" after going through the setup-ds script.

When I run openssl s_client -connect localhost:636 it connects fine with
AES256-SHA


When I specify a cipher it fails the handshake.

[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA
CONNECTED(00000003)
139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]#

I checked on the redhat site and DHE-DSS-AES128-SHA should be included
(tls_dhe_dss_aes_128_sha).


-Darcy
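As an added example (not code from this thread, from 389 DS or from the NSS/OpenSSL projects), the following Python script automates the cipher-by-cipher probe that was done by hand above: it runs `openssl s_client -cipher <suite>` once per suite in an OpenSSL cipher list and parses the `New, ..., Cipher is ...` summary line to tell an accepted suite from a rejected one. The two sample outputs are constructed (the failing one is the DHE-DSS run from the message, the succeeding one mirrors the AES256-SHA connection described), so the parsing can be exercised offline; `localhost:636` and the `ALL` cipher list are assumptions. One caveat when reading the results: DHE-DSS suites authenticate the server with a DSA certificate, so a server whose only personality is an RSA certificate (as in the `cn=RSA` module entry above) can never select them whatever `nsSSL3Ciphers` allows; the DHE-RSA suites are the ones to compare against.

```python
"""Probe which TLS cipher suites a server accepts, one openssl s_client run per suite.

Added example for the 389-users thread; not part of the original message.
Assumed defaults: host localhost, port 636, OpenSSL cipher list "ALL".
"""
import re
import shutil
import subprocess
import sys
from typing import Dict, Optional

# Constructed sample: the rejected DHE-DSS-AES128-SHA probe from the thread.
FAILED_OUTPUT = """CONNECTED(00000003)
139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
"""

# Constructed sample: what a successful AES256-SHA negotiation looks like (abridged).
OK_OUTPUT = """CONNECTED(00000003)
---
SSL handshake has read 1417 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
---
"""

# The summary line s_client prints after the handshake; "(NONE)" means it failed.
CIPHER_LINE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
# The OpenSSL error record, e.g. "...:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:"
ERROR_LINE = re.compile(r"SSL routines:[^:]+:(.+?):s\d+_\w+\.c")


def negotiated_cipher(output: str) -> Optional[str]:
    """Return the suite the server chose, or None when no suite was agreed."""
    m = CIPHER_LINE.search(output)
    if not m or m.group("cipher") == "(NONE)":
        return None
    return m.group("cipher")


def handshake_error(output: str) -> Optional[str]:
    """Return the alert text from a failed run (e.g. 'sslv3 alert handshake failure'), else None."""
    m = ERROR_LINE.search(output)
    return m.group(1) if m else None


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 10.0) -> Optional[str]:
    """Offer exactly one suite to the server and return what it negotiated (None if rejected)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher]
    # Empty stdin makes s_client exit right after the handshake instead of waiting for input.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return negotiated_cipher(proc.stdout.decode(errors="replace"))


def probe_all(host: str, port: int, cipher_list: str = "ALL") -> Dict[str, Optional[str]]:
    """Probe every suite that `openssl ciphers <cipher_list>` expands to."""
    names = subprocess.run(["openssl", "ciphers", cipher_list],
                           capture_output=True, text=True, check=True).stdout.strip().split(":")
    return {name: probe_cipher(host, port, name) for name in names}


if __name__ == "__main__":
    if shutil.which("openssl") is None:
        sys.exit("openssl binary not found on PATH")
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636      # assumption
    for name, chosen in sorted(probe_all(host, port).items()):
        status = f"accepted as {chosen}" if chosen else "rejected"
        print(f"{name:32s} {status}")
```

Run it as `python3 probe.py ldap01 636`; suites reported as rejected that you expect the server to offer are the ones worth checking against the server's certificate type (RSA vs DSA) and the NSS version's server-side support, not only against `nsSSL3Ciphers`.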